Stellar Exam
• A threat is the agent or actor that can or intends to cause harm via a
vulnerability.
• A threat is the flaw that can be exploited to cause harm via a
vulnerability.
• A threat is the intersection of a vulnerability and the risk of harm.
• A threat is the code or technique by which vulnerabilities are taken
advantage of.
10. When building dictionaries for password attacks, which of the following
commands demonstrates one way to ensure there aren't duplicate entries
within your list?
• $ mysql < wordlist.txt | select * where X = % > dictionary.txt
• $ cat wordlist.txt-dup > dictionary.txt
• $ cat wordlist.txt | grep -v duplicates | > dictionary.txt
• $ cat wordlist.txt | sort | uniq > dictionary.txt.
11. Azure Active Directory is an example of which type of cloud service platform?
• PaaS (Platform as a Service)
• SaaS (Software as a Service)
• CaaS (Computing as a Service)
• IaaS (Infrastructure as a Service)
12. During the reconnaissance phase of a penetration test, which location is a good
place to determine the type of antivirus product that a company uses?
• Outbound Email footer
• Dumpster
• Phone records
• Public facing website.
13. You want to find out what ports a system is listening on. What is the correct
command on a Linux system?
• fport /p
• lsof -nao
• tasklist /v
• netstat -nap
14. Analyze the excerpt from a packet capture below. Given the host is up, what
conclusion can be correctly drawn about host 192.168.116.101?
• It is providing services only on port 139/TCP.
• It is redirecting traffic on behalf of another host.
• It is resetting connection attempts on tcp ports 130-140
• It is not responding to connection attempts on tcp ports 130-140.
15. Analyze the screenshot below. Which of the following sets of results will be
retrieved using this search?
16. Your company has been hired to conduct a penetration test against a large,
multinational organization. They would like you to test their entire
organization, which consists of approximately 10,000 IP addresses. In order to
cut down on the time and costs associated with the test, they would like to
limit the scope of the port scan. Which of the following would be best to use if
the company was willing to provide you with whatever network data you required?
• Scan only a subset of all ports that are possibly in use.
• Scan only a subset of the target servers in each subnet.
• Scan only the ports that are listed as open by the perimeter firewall
ruleset.
• Scan only a certain percentage of all systems in the company.
17. You are pen testing a system and want to use Metasploit to open a listening
port on the system to be accessed via Netcat. Which stager would you use to
have the system listen on TCP port 50000?
• findtag_ord
• reverse_tcp
• passive
• bind_tcp
18. The scope of a test is limited to server-side applications. Which of the following
actions is allowed in this test?
• Sending a malicious pdf to a user and exploiting a vulnerable Reader
version.
• Leaving malicious flash drives in the employees' work areas.
• Attempting to upload content to a vulnerable internal IIS server.
• Attempting to get a user to reveal his password through social
engineering.
21. You are pen testing a Windows system remotely via Netcat. You want to get a
listing of all the local users on the system. What command would you use?
• net user
• net localuser
• net account
• net name
22. You are pen testing a Windows system remotely via Netcat. You want to gather
information on remote systems that the target has communicated with
recently. What command could you use?
• ipconfig /displaydns
• net displaydns
• ifconfig /displaydns
• net /displaydns
23. Finding and reporting vulnerabilities in a system without the intent to exploit
them is an example of what practice?
• Penetration Testing
• Compliance Auditing
• Ethical Hacking
• Vulnerability Assessment.
24. How can an organization’s security team protect against credential stuffing
attacks?
• Issue a cease-and-desist order on websites that publish breach
information.
• Train employees on the use of a password manager.
• Require initial passwords be changed upon first login.
• Use the login API of a secondary organization to authenticate.
25. What section of the penetration test or ethical hacking engagement final report
is used to communicate the agreed upon scope of the test?
• Introduction.
• Conclusions.
• Findings.
• Executive Summary.
26. A hacker has discovered that the C:\ path on a Windows machine is writable.
They install an executable called Program.exe in C:\ to try to trick the Windows
service controller into running it with elevated privileges. What vulnerability is
the hacker exploiting?
• Group Policy Preferences (GPP)
• DLL search order hijacking
• Writable Windows Service executables
• Unquoted paths with spaces.
27. While executing an Nmap NSE scan of a target network, the objective is to
avoid generating logs or otherwise impacting the target network. Which category
of Nmap scripts should be avoided?
• Malware
• Intrusive
• Discovery
• Safe
28. You are completing a penetration test in which client-side exploits are in
scope. You've loaded a weaponized PDF onto a server and sent a crafted email to
the target. Which of the following is required for this attack to succeed?
29. What factual conclusion can be drawn from the following output after issuing
Nmap with the “-A” parameter?
• Firewall service running on port 8081.
• Fingerprint not recognized for service on port 8081.
• nmap-service-probe file could not be found.
• The "--version-trace" option is set.
30. During the reconnaissance phase of a penetration test, the tester finds the
current message board posting shown below from an employee of the
corporation being tested. What conclusion can be drawn about the
corporation's current security situation?
31. You are pen testing a Windows system remotely via Netcat. You want to get a
listing of all the local users in the administrators group. What command would
you use?
• net localgroup administrators
• net account administrators
• net localuser administrators
• net user administrators
35. Which of the following TCP packet sequences are common during a SYN (or
half-open) scan?
• The scanning computer sends SYN and a SYN-FIN is received from the
target computer.
• The scanning computer sends SYN-ACK and the target computer
responds with RST-ACK.
• The scanning computer sends SYN-ACK and no response is received
from the target computer.
• The scanning computer sends SYN and the target computer responds
with RST-ACK.
36. What does the command "./john --test" do?
• John will display statistics about how many combinations per second it
can perform on a given machine.
• John will test the system configuration to ensure that it is installed
correctly.
• John will verify the configuration file for errors.
• John will print an estimate of the time it needs to crack a given
password file.
37. During the pentest, Maria, the head of the blue team, discovered that the new
online service has problems with its authentication mechanism. The old
password can be reset by correctly answering the secret question, and the
submission form is not protected by a CAPTCHA, which allows a potential
attacker to use a brute force attack. What is the name of such an attack in
the Common Weakness Enumeration (CWE)?
• User impersonation.
• Weak password recovery mechanism.
• Verbose failure messages.
• Insecure transmission of credentials.
39. Which of the following types of attack does using a Wi-Fi Pineapple to run
an access point with a legitimate-looking SSID for a nearby business belong to?
• MAC spoofing attack
• Evil-twin attack
• Phishing attack
• Wardriving attack
44. Whois services allow you to get a massive amount of valuable information at
the stage of reconnaissance. Depending on the target's location, they receive
data from one of the five largest regional Internet registries (RIR). Which of the
following RIRs should the Whois service contact if you want to get information
about an IP address registered in France?
• LACNIC
• APNIC
• RIPE NCC
• ARIN
45. The cyber kill chain is essentially a cybersecurity model created by Lockheed
Martin that traces the stages of a cyber-attack, identifies vulnerabilities, and
helps security teams to stop the attacks at every stage of the chain. At what
stage does the intruder transmit the malware via a phishing email or another
medium?
• Delivery
• Actions on Objective
• Weaponization
• Installation
46. Black-hat hacker Ivan attacked the SCADA system of an industrial water
facility. During the exploration process, he discovered that outdated equipment
was being used, and that the human-machine interface (HMI) was directly connected
to the Internet and did not have any security tools or authentication mechanisms.
This allowed Ivan to control the system and influence all processes (including
water pressure and temperature). What category does this vulnerability belong
to?
• Credential Management.
• Code Injection.
• Lack of Authorization/Authentication and Insecure Defaults.
• Memory Corruption.
47. You need to identify the OS on the attacked machine. You know that TTL: 64
and Window Size: 5840. Which OS is running on the attacked machine?
• Windows OS.
• Linux OS.
• Mac OS.
• Google’s customized Linux.
48. Which of the scenarios corresponds to the behaviour of the attacker from the
example below:
The attacker created and configured multiple domains pointing to the same
host to switch quickly between the domains and avoid detection.
• Data staging.
• Unspecified proxy activities.
• DNS tunnelling.
• Use of command-line interface.
52. Ivan, a black hat hacker, got a username from the target environment. Given
limited time, he decides to use a list of common passwords, which he will pass
as an argument to the hacking tool. Which of the following is the method of
attack that Ivan uses?
• Dictionary attack.
• Known plaintext attack.
• Smudge attack.
• Password spraying attack.
54. When scanning with Nmap, you found a firewall. Now you need to determine
whether it is a stateful or stateless firewall. Which of the following options is
best for you to use?
• -sT
• -sA
• -sM
• -sO
55. Identify the Google advanced search operator that helps an attacker gather
information about websites that are similar to a specified target URL.
• [inurl:]
• [link:]
• [site:]
• [related:]
56. Which of the following standards is most applicable for a major credit card
company?
• FISMA
• Sarbanes-Oxley Act
• HIPAA
• PCI-DSS
58. Ivan, an evil hacker, spreads Emotet malware through a malicious script in
the organization he attacked. After infecting the device, he used Emotet to
spread the infection across local networks and beyond to compromise as many
machines as possible.
He achieved this with a tool that is a self-extracting RAR file (containing
bypass and service components) used to retrieve information related to network
resources such as writable share drives.
What tool did Ivan use?
• Credential enumerator
• Outlook scraper
• NetPass.exe
• Mail PassView
59. Which of the following frameworks contains a set of the most popular tools
that facilitate your tasks of collecting information and data from open sources?
• BeEF
• WebSploit Framework
• Speed Phish Framework
• OSINT framework
60. Identify the type of SQLi by description: This type of SQLi doesn't show any
error message. Its use may be problematic, as it only returns information
when the application is given SQL payloads that elicit a true or false response
from the server. When using this method, an attacker can extract confidential
information by observing the responses.
• Out-of-band SQLi
• Blind SQLi
• Error-based SQLi
• Union SQLi
61. Which of the following is the best description of the final phase of every
successful hack, clearing tracks?
• During a cyberattack, a hacker injects a rootkit into a server.
• During a cyberattack, a hacker corrupts the event logs on all machines.
• A hacker gains access to a server through an exploitable vulnerability.
• After a system is breached, a hacker creates a backdoor.
63. What is the name of a popular proxy-based tool (or rather, an entire
integrated platform written in Java) used to assess the security of web
applications and conduct practical testing using a variety of built-in tools?
• Nmap
• CxSAST
• Wireshark
• Burp Suite
64. Which of the following is a rootkit that adds additional code or replaces
portions of the core operating system to obscure a backdoor on a system?
• Kernel-level rootkit.
• Hypervisor-level rootkit.
• User-mode rootkit.
• Application-level Rootkit.
65. Enabling SSI directives allows developers to add dynamic code snippets to static
HTML pages without using full-fledged client or server languages. However,
suppose the server is incorrectly configured (for example, allowing the exec
directive) or the data is not strictly verified. In that case, an attacker can change
or enter directives to perform malicious actions. What kind of known attack are
we talking about?
• CRLF injection
• Server-side JS injection
• Server-side template injection
• Server-side includes injection
66. At which of the following steps of the Cyber Kill Chain does the creation of
a malware weapon take place, for example a malicious file disguised as a
financial spreadsheet?
• Exploitation
• Delivery
• Reconnaissance
• Weaponization
67. John sends an email to his colleague Angela and wants to ensure that the
message will not be changed during the delivery process. He creates a
checksum of the message and encrypts it using asymmetric cryptography. What
key did John use to encrypt the checksum?
• His own private key.
• Angela's public key.
• Angela's private key
• His own public key.
68. Which Metasploit module is used to perform arbitrary, one-off actions such
as port scanning, denial of service, SQL injection and fuzzing?
• Payload Module.
• Exploit Module.
• NOPS Module.
• Auxiliary Module.
70. Alex, a cyber security specialist, is to conduct a pentest from inside the
network, but has received absolutely no information about the target network.
What type of testing will Alex conduct?
• External, Black-box.
• Internal, White-box.
• Internal, Black-box.
• Internal, Grey-box.
74. Elon plans to make it difficult for the packet filter to determine the purpose of
the packet when scanning. Which of the following scanning techniques will Elon
use?
• SYN/FIN scanning using IP fragments.
• IPID scanning.
• ICMP scanning.
• ACK scanning.
75. The firewall prevents packets from entering the organization through certain
ports and applications. What does this firewall check?
• Application layer headers and transport layer port numbers.
• Application layer port numbers and the transport layer headers.
• Presentation layer headers and the session layer port numbers.
• Network layer headers and the session layer port numbers.
76. For the company, an important criterion is the immutability of the financial
reports sent by the financial director to the accountant. They need to be sure
that the accountant received the reports and that they haven't been changed.
How can this be achieved?
• Use a protected Excel file.
• Use a hash algorithm on the document once the CFO has approved the financial
statements.
• The CFO can send the financial statements twice, one by email and the other
delivered on USB, and the accountant can compare both.
• Reports can be sent to the accountant using an exclusive USB for that
document.
77. Which of the following protocols is used in a VPN for setting up a secure
channel between two devices?
• PPP
• IPSEC
• SET
• PEM
78. Which of the following Nmap commands most reduces the probability of
detection by an IDS when scanning common ports?
• nmap -A --host-timeout 99 -T1
• nmap -sT -O -T0
• nmap -A -Pn
• nmap -sT -O -T2
80. Analyze the command output below. Based on the output, what conclusion can
correctly be made about the target?